Use the show running-config command (and capture the terminal output to a
text file) or the write net command (to copy the configuration to a TFTP
server) in order to save the current PIX configuration before you begin.

Use the show version command in order to display the serial number and
activation key, and save this output to a text file. If you need to revert to
an older version of code, you might need the original activation key. For
additional information on activation keys, refer to PIX Firewall Frequently
Asked Questions.

Ensure you have no conduit or outbound commands in your current
configuration. These commands are no longer supported in 7.x and the upgrade
process removes them. Use the Output Interpreter tool in order to convert these
commands to access-lists before you attempt the upgrade.

Ensure the PIX does not terminate Point-to-Point Tunneling Protocol
(PPTP) connections. PIX 7.1 and later does not currently support PPTP
termination.

If you use failover, ensure the LAN failover or Stateful failover interface
is not shared with an interface that passes data traffic. For example, if you
use your Inside interface both to pass data traffic and as your Stateful
failover interface (failover link inside), you must move the Stateful failover
interface to a different interface before you upgrade. Otherwise, all
configuration tied to the Inside interface is removed, and data traffic no
longer passes through that interface after the upgrade.

Ensure that the PIX runs version 6.2 or 6.3 before you proceed.

Read the Release Notes for the version you plan to upgrade to so that
you are aware of all new, changed, and deprecated commands.

Refer to the Upgrade Guide for any additional command changes between
versions 6.x and 7.x.

The information in this document is based on these software and
hardware versions:

PIX Security Appliance 515, 515E, 525, and 535

PIX Software versions 6.3(4), 7.0(1)

The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.

Before you start the upgrade process to version 7.x, Cisco recommends
that the PIX run version 6.2 or later. This ensures that the current
configuration converts properly. In addition, the PIX must meet these minimum
RAM and Flash requirements:

PIX Model    RAM, Restricted (R)    RAM, Unrestricted (UR) / Failover Only (FO)    Flash
PIX-515      64 MB*                 128 MB*                                        16 MB
PIX-515E     64 MB*                 128 MB*                                        16 MB
PIX-525      128 MB                 256 MB                                         16 MB
PIX-535      512 MB                 1 GB                                           16 MB

* All PIX-515 and PIX-515E Appliances require a memory upgrade.

Issue the show version command in order to
determine the amount of RAM and Flash currently installed on the PIX. No Flash
upgrades are needed, as all PIX Appliances in this table have 16 MB installed
by default.

Note: Only the PIX Security Appliances in this table are supported in
version 7.x. Older PIX Security Appliances, such as the PIX-520, 510, 10000,
and Classic have been discontinued and do not run version 7.0 or later. If you
have one of these appliances and wish to run 7.x or later, contact your local
Cisco Account Team or Reseller in order to purchase a newer Security Appliance.
In addition, PIX Firewalls with less than 64 MB of RAM (PIX-501, PIX-506, and
PIX-506E) are unable to run the initial 7.0 release.
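The checklist above (no conduit or outbound commands, no PPTP termination, a dedicated failover interface, software 6.2 or later) and the RAM and Flash minimums in the table can all be verified mechanically from the two captures the procedure tells you to save. The following Python script is an added example, not code from this document or from Cisco. It assumes plain-text captures of show version and show running-config from the 6.x PIX; the sample captures embedded below are constructed, their layout only approximates PIX 6.3 output, and the "interface carries data" test and the PPTP syntax check are heuristics of this example.

```python
"""Pre-upgrade readiness check for a PIX 6.x to 7.x migration.

Added example: this is not code from the Cisco document. It reads the two
captures the checklist tells you to save, 'show version' and the running
configuration, and reports every blocker the checklist names plus the RAM
and Flash minimums from the table. The captures below are constructed test
input; their layout approximates PIX 6.3 output and is an assumption, so
adjust the regular expressions to your own captures.
"""
import re

# Minimum RAM (MB) from the table: model -> (Restricted, Unrestricted/Failover Only)
MIN_RAM_MB = {
    "PIX-515": (64, 128),
    "PIX-515E": (64, 128),
    "PIX-525": (128, 256),
    "PIX-535": (512, 1024),
}
MIN_FLASH_MB = 16

# Commands that mark an interface as one that passes data traffic. This is a
# heuristic of this example, not a rule stated in the document.
DATA_COMMANDS = ("nat", "global", "static", "access-group", "route")

SAMPLE_SHOW_VERSION = """\
Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(4)

Hardware:   PIX-515E, 32 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Licensed Features:
Failover:                    Enabled
VPN-DES:                     Enabled
This PIX has an Unrestricted (UR) license.
"""

SAMPLE_CONFIG = """\
PIX Version 6.3(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 192.0.2.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
failover
failover ip address inside 10.0.0.2
failover link inside
conduit permit tcp host 192.0.2.10 eq www any
nat (inside) 1 0 0
global (outside) 1 interface
route outside 0 0 192.0.2.1 1
vpdn group 1 accept dialin pptp
"""


def parse_show_version(text):
    """Extract version, model, RAM, Flash and license class from 'show version'."""
    info = {}
    if m := re.search(r"Version\s+(\d+)\.(\d+)", text):
        info["version"] = (int(m.group(1)), int(m.group(2)))
    if m := re.search(r"Hardware:\s+(PIX-\d+E?)", text):
        info["model"] = m.group(1)
    if m := re.search(r"(\d+)\s*MB RAM", text):
        info["ram_mb"] = int(m.group(1))
    if m := re.search(r"^Flash[^\n]*?(\d+)\s*MB", text, re.M):
        info["flash_mb"] = int(m.group(1))
    # 6.x prints e.g. "This PIX has an Unrestricted (UR) license." (assumed wording)
    if m := re.search(r"has an? (Restricted|Unrestricted|Failover Only)", text):
        info["restricted"] = m.group(1) == "Restricted"
    return info


def interface_carries_data(ifname, lines):
    """Heuristic: the interface is named in a nat, global, static, access-group or route command."""
    for line in lines:
        words = re.split(r"[\s(),]+", line)
        if words[0] in DATA_COMMANDS and ifname in words[1:]:
            return True
    return False


def check_readiness(show_version, running_config):
    """Return the blockers found; an empty list means the PIX is ready to upgrade."""
    blockers = []
    info = parse_show_version(show_version)

    if info.get("version", (0, 0)) < (6, 2):
        blockers.append("software is older than 6.2; move to 6.2 or 6.3 first")

    model = info.get("model")
    if model not in MIN_RAM_MB:
        blockers.append(f"model {model} is not supported by 7.x")
    else:
        need = MIN_RAM_MB[model][0 if info.get("restricted") else 1]
        if info.get("ram_mb", 0) < need:
            blockers.append(f"{model} has {info.get('ram_mb')} MB RAM, needs {need} MB")
    if info.get("flash_mb", 0) < MIN_FLASH_MB:
        blockers.append(f"Flash is {info.get('flash_mb')} MB, needs {MIN_FLASH_MB} MB")

    lines = [l.strip() for l in running_config.splitlines() if l.strip()]
    for cmd in ("conduit", "outbound"):
        if any(l.startswith(cmd + " ") for l in lines):
            blockers.append(f"'{cmd}' commands present; convert them to access-lists first")

    # 6.x configures PPTP termination as 'vpdn group <name> accept dialin pptp'
    if any(re.match(r"vpdn group \S+ accept dialin pptp", l) for l in lines):
        blockers.append("PIX terminates PPTP; 7.x does not support PPTP termination")

    # 'failover link <if>' (Stateful) and 'failover lan interface <if>' must be dedicated
    for l in lines:
        if m := re.match(r"failover (?:link|lan interface) (\S+)", l):
            if interface_carries_data(m.group(1), lines):
                blockers.append(f"failover interface {m.group(1)} also passes data traffic; "
                                "move failover to a dedicated interface")
    return blockers


if __name__ == "__main__":
    for b in check_readiness(SAMPLE_SHOW_VERSION, SAMPLE_CONFIG) or ["ready to upgrade"]:
        print(b)
```

Run against the constructed sample it reports four blockers: the 515E has only 32 MB RAM against the 128 MB an Unrestricted license needs, a conduit command is present, the PIX terminates PPTP, and the Stateful failover link shares the Inside interface with data traffic. Every finding maps to one item of the checklist, so an empty list is the condition for scheduling the maintenance window.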

Visit the Cisco Software Center in order to download PIX 7.x software. TFTP
server software is no longer available from Cisco.com. However, you can find
many TFTP servers when you search for "tftp server" on your favorite Internet
search engine. Cisco does not specifically recommend any particular TFTP
implementation. For more information, refer to the TFTP server page.

Be aware that the upgrade of your PIX Security Appliance to version 7.x
is a major change. Much of the CLI is modified, so your configuration after
the upgrade will look very different. Upgrade only during a maintenance
window, as the upgrade process requires some downtime. If you need to revert
to a 6.x image, you must follow the Downgrade procedure in this document;
failure to do so causes the PIX to go into a continuous reboot loop. In order
to continue, locate your PIX Appliance model in this table and then select the
link to see instructions for how to upgrade.

Connect a console cable to the console port on the PIX with the use
of these communication settings:

9600 bits per second

8 data bits

no parity

1 stop bit

no flow control

Power cycle or reload the PIX. During bootup you are prompted to
use BREAK or ESC in order to interrupt Flash boot. You have ten seconds to
interrupt the normal boot process.

Press the ESC key or send a BREAK
character in order to enter Monitor Mode.

If you use Windows HyperTerminal, you can press the ESC key or press
Ctrl+Break in order to send a BREAK character.

If you Telnet through a terminal server to access the console
port of the PIX, you need to press Ctrl+] (Control + right
bracket) in order to get to the Telnet command prompt. Then enter the
send break command.

Note: Fast Ethernet cards in 64-bit slots are not visible in Monitor Mode,
so the TFTP server cannot reside on one of those interfaces. In that case, use
the copy tftp flash command instead in order to download the PIX Firewall image
file through TFTP.

Enter Monitor Mode on the PIX. If you are unsure how to do this,
see the instructions for how to enter Monitor
Mode in this document.

Note: Once in Monitor Mode, you can use the "?" key to see a list of
available options.

Enter the interface number that the TFTP server is connected to, or
the interface that is closest to the TFTP server. The default is interface 1
(Inside).

monitor>interface <num>

Note: In Monitor Mode, the interface always auto negotiates the speed
and duplex. The interface settings cannot be hard coded. Therefore, if the PIX
interface is plugged into a switch that is hard coded for speed/duplex, then
reconfigure it to auto negotiate while you are in Monitor Mode. Also be aware
that the PIX Appliance cannot initialize a Gigabit Ethernet interface from
Monitor Mode. You must use a Fast Ethernet interface instead.

Enter the IP address of the PIX interface that you selected in the previous step.

monitor>address <PIX_ip_address>

Enter the IP address of the TFTP server.

monitor>server <tftp_server_ip_address>

(Optional) Enter the IP address of your gateway. A gateway address
is required if the interface of the PIX is not on the same network as the TFTP
server.

monitor>gateway <gateway_ip_address>

Enter the name of the file on the TFTP server that you wish to
load. This is the PIX binary image file name.

monitor>file <filename>

Ping from the PIX to the TFTP server in order to verify IP
connectivity.

monitor>ping <tftp_server_ip_address>

If the pings fail, double-check the cables, the IP addresses of the PIX
interface and the TFTP server, and the IP address of the gateway (if needed).
The pings must succeed before you continue.

Type tftp in order to start the TFTP download.

monitor>tftp

The PIX downloads the image into RAM and automatically boots
it.

During the boot process, the file system is converted along with
your current configuration. However, you are not done yet. Note this warning
message after the PIX boots, and continue with the next step:

************************************************************************
**                                                                    **
**  *** WARNING *** WARNING *** WARNING *** WARNING *** WARNING ***   **
**                                                                    **
**          ----> Current image running from RAM only! <----          **
**                                                                    **
**  When the PIX was upgraded in Monitor mode the boot image was not  **
**  written to Flash.  Please issue "copy tftp: flash:" to load and   **
**  save a bootable image to Flash.  Failure to do so will result in  **
**  a boot loop the next time the PIX is reloaded.                    **
**                                                                    **
************************************************************************

Once the PIX has booted, enter enable mode and copy the same image to the
PIX again, this time with the copy tftp flash command. This saves the image
into the Flash file system. Failure to perform this step results in a boot
loop the next time the PIX reloads.

PIX Security Appliance versions 7.0 and later use a different Flash
file format than earlier PIX versions. Therefore, you cannot downgrade from a
7.0 image to a 6.x image with the copy tftp flash command. Instead, you must
use the downgrade command. Failure to do so causes the PIX to get stuck in a
boot loop.

When the PIX was originally upgraded, the 6.x startup configuration was
saved in Flash as downgrade.cfg. When you follow this downgrade procedure, that
configuration is restored to the device as it is downgraded. You can review the
configuration before you downgrade with the more flash:downgrade.cfg command
from the enable prompt in 7.0. Additionally, if the PIX was upgraded via
Monitor Mode, the previous 6.x binary image is still saved in Flash as
image_old.bin. Issue the show flash: command in order to verify that this image
exists. If it does, you can use it in the first step of this procedure instead
of loading the image from a TFTP server.

Complete these steps in order to downgrade your PIX Security Appliance.

Enter the downgrade command and specify
the location of the image that you want to downgrade to.

pixfirewall#downgrade tftp://<tftp_server_ip_address>/<filename>

Note: If you upgraded your PIX from Monitor Mode, then the old binary
image is still saved in Flash. Issue this command in order to downgrade back to
that image:

pixfirewall#downgrade flash:/image_old.bin

A warning message appears that alerts you that the Flash is about
to be formatted. Press Enter in order to continue.

This command will reformat the flash and automatically reboot the system.
Do you wish to continue? [confirm] <enter>

The image is now copied over into RAM, and the startup
configuration is also copied into RAM.

An upgrade from PIX Appliance 6.x to 7.x is a major upgrade. It cannot
be done without downtime, even for PIXes in a failover set, because many of
the failover commands change with the upgrade. The recommended upgrade path is
to power down one of the PIXes in the failover set and follow the instructions
in this document in order to upgrade the PIX that remains powered on. Once the
upgrade is complete, verify that traffic passes, and reboot the PIX once in
order to verify that it comes back up without issue. Once you are satisfied
that everything works properly, power off the newly upgraded PIX and power on
the other PIX, then follow the instructions in this document in order to
upgrade it. Once that upgrade is complete, verify that traffic passes, and
again reboot the PIX once in order to verify that it comes back up without
issue. Once you are satisfied that everything works properly, power on the
other PIX. Both PIXes are now upgraded to 7.x and powered on. Verify that they
establish failover communications properly with the show failover command.

Note: The PIX now enforces the restriction that any interface that passes
data traffic cannot also be used as the LAN failover interface, or the Stateful
failover interface. If your current PIX configuration has a shared interface
that is used to pass normal data traffic as well as the LAN failover
information or the Stateful information, and if you upgrade, the data traffic
no longer passes through this interface. All commands associated to that
interface also fail.

Before you install ASDM, Cisco recommends that you read the Release
Notes for the version you plan to install. The Release Notes include the
minimum supported browsers and Java versions as well as a list of new features
supported and open caveats.

The process of installing ASDM is slightly different in version 7.0
than it has been in the past. Also, once the ASDM image is copied into the
Flash, you must specify it in the configuration so the PIX knows to use it.
Complete these steps in order to install the ASDM image into Flash.

Download the ASDM image from Cisco.com and place it in the root directory
of your TFTP server.

Verify your PIX has IP connectivity to your TFTP server. In order
to do this, ping the TFTP server from the PIX.

From the enable prompt, issue the copy tftp
flash command.

pixfirewall>enable
Password: <password>
pixfirewall#copy tftp flash

Enter the IP address of the TFTP server.

Address or name of remote host [0.0.0.0]? <tftp_server_ip_address>

Enter the name of the ASDM file on the TFTP server that you wish to
load.

Source file name [cdisk]? <filename>

Enter the name for the ASDM file that you plan to save in Flash.
Press enter to keep the same file name.

Destination filename [asdm-501.bin]? <enter>

The image is now copied over from the TFTP server to Flash. These
messages appear and indicate that the transfer is a success.

If the PIX was upgraded to 7.0 from Monitor Mode, but the 7.0 image was
not copied into Flash after the first boot of 7.0, the PIX becomes stuck in a
reboot loop when it is reloaded. The resolution is to load the image again from
Monitor Mode. After it boots up, copy the image one more time with the copy
tftp flash method.

When you upgrade with the copy tftp
flash method, you see this error message:

This message is typically seen when the PIX-535 or PIX-515 (non
E) is upgraded via the copy tftp flash method, and
PDM is also loaded in Flash on that PIX.
The resolution is to upgrade with the Monitor Mode method.

After you upgrade the PIX from 6.x to 7.0, some of the
configuration does not properly migrate.

The output of the show startup-config
errors command shows any errors that occurred during the
migration of the configuration. The errors appear in this output after you boot
the PIX for the first time. Examine these errors and attempt to resolve them.

The PIX runs version 7.x, and a newer version is installed.
When the PIX reboots, the old version continues to load.

In PIX version 7.x, you can save multiple images in Flash. The PIX first
looks in the configuration for any boot system flash: commands, which specify
the image the PIX boots. If no boot system flash: command is found, the PIX
boots the first bootable image in Flash. In order to boot a different version,
specify the file with the boot system flash:/<filename> command.

An ASDM image is loaded into Flash, but users are unable to
load ASDM in their browser.

First, ensure the ASDM file loaded in Flash is specified by the
asdm image flash://<asdm_file> command.
Second, verify the http server enable command is in
the configuration. Finally, verify the host that attempts to load ASDM is
permitted via the http <address> <mask>
<interface> command.
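The boot-image selection rule and the three ASDM prerequisites above are easy to check against captured output before anyone opens a browser. The following Python script is an added example, not code from this document or from Cisco. It assumes plain-text captures of show running-config and show flash: from the upgraded 7.x PIX; the samples embedded below are constructed, the show flash: column layout is an assumption, and treating pix-*.bin files as the bootable images is a heuristic of this example.

```python
"""Post-upgrade checks for two of the symptoms above: a newer image is in Flash
but the old one still boots, and an ASDM image is in Flash but browsers cannot
load it.

Added example: this is not code from the Cisco document. It works on text
captures of 'show running-config' and 'show flash:' taken on the 7.x PIX. The
captures below are constructed; the 'show flash:' column layout is an
assumption, so adjust parse_show_flash to your own output.
"""
import re
from ipaddress import ip_address, ip_network

SAMPLE_SHOW_FLASH = """\
-#- --length-- -----date/time------ path
  4 5031936    Mar 22 2005 10:12:04 pix-701.bin
  5 5117952    Apr 03 2005 09:30:11 pix-704.bin
  6 4672512    Mar 22 2005 10:40:52 asdm-501.bin
  7 2112       Mar 22 2005 10:05:18 downgrade.cfg
"""

SAMPLE_CONFIG = """\
PIX Version 7.0(1)
hostname pixfirewall
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
boot system flash:/pix-701.bin
asdm image flash:/asdm-501.bin
http server enable
http 10.0.0.0 255.255.255.0 inside
"""


def parse_show_flash(text):
    """Return file names in the order 'show flash:' lists them."""
    files = []
    for line in text.splitlines():
        words = line.split()
        if words and words[0].isdigit():
            files.append(words[-1])
    return files


def selected_boot_image(running_config, flash_files):
    """The image loaded at reload: the first 'boot system flash:' command wins;
    without one, the first bootable image in Flash. Treating 'pix-*.bin' as the
    bootable images is a heuristic of this example."""
    for line in running_config.splitlines():
        if m := re.match(r"\s*boot system flash:/?(\S+)", line):
            return m.group(1)
    return next((f for f in flash_files if f.startswith("pix") and f.endswith(".bin")), None)


def diagnose_asdm(running_config, flash_files, client_ip, client_interface):
    """Return why a browser at client_ip, arriving on client_interface, cannot
    load ASDM; an empty list means all three prerequisites are met."""
    problems = []
    lines = [l.strip() for l in running_config.splitlines()]

    image = None
    for l in lines:
        if m := re.match(r"asdm image flash:/{1,2}(\S+)", l):
            image = m.group(1)
    if image is None:
        problems.append("no 'asdm image flash:/<file>' command in the configuration")
    elif image not in flash_files:
        problems.append(f"'asdm image' names {image}, which is not in Flash")

    if "http server enable" not in lines:
        problems.append("'http server enable' is missing")

    # 'http <address> <mask> <interface>' must cover the client on its arrival interface
    permitted = False
    for l in lines:
        m = re.match(r"http (\S+) (\S+) (\S+)$", l)
        if m and m.group(3) == client_interface:
            if ip_address(client_ip) in ip_network(f"{m.group(1)}/{m.group(2)}", strict=False):
                permitted = True
    if not permitted:
        problems.append(f"no 'http <address> <mask> {client_interface}' entry permits {client_ip}")
    return problems


if __name__ == "__main__":
    files = parse_show_flash(SAMPLE_SHOW_FLASH)
    print("boots:", selected_boot_image(SAMPLE_CONFIG, files))
    print("asdm from 10.0.0.50:", diagnose_asdm(SAMPLE_CONFIG, files, "10.0.0.50", "inside") or "ok")
```

On the constructed sample, pix-704.bin sits in Flash but pix-701.bin boots, because the boot system flash: command still names the old file; changing that one line is the fix the symptom above calls for. The ASDM check passes for a host on the inside network and fails for a host on any interface that has no matching http statement.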

FTP does not work after an upgrade.

FTP inspection was not enabled after the upgrade. Enable the
FTP inspection in one of two ways as shown in the Enable
FTP Inspection section.